1. Field of the Invention
Principles of the invention relate generally to network security and, more particularly, to managing secure communication sessions through a network gateway device.
2. Description of Related Art
A corporation may protect its network in a number of different ways. For example, a corporate security infrastructure may include firewalls, intrusion detection, Uniform Resource Locator (URL) filtering, and content inspection. Further, corporations may enforce certain procedures that must be followed by employees who wish to use processing devices to access the corporate network from within the office.
Telecommuters, mobile employees, remote business partners, etc. may desire remote access to a corporate network. At least some of these users may wish to access the corporate network over the Internet or via another network or group of networks.
One class of secure remote access technology that is gaining in popularity is the so-called Secure Sockets Layer (SSL) Virtual Private Network (VPN) connection. SSL VPNs compete with IP Security Protocol (IPSec) VPNs and have a number of potential advantages over IPSec VPNs, including application access flexibility, high security, and overall simplicity.
SSL VPNs may be implemented through an SSL VPN gateway device, which makes client/server applications available to remote users (“clients”) through standard Internet browser software. The “back-end” server devices in a corporate network can securely connect with remote clients using security provided through an SSL connection, which is typically a standard feature in browsers. The SSL VPN gateway may operate in the application layer to communicate with the back-end servers and then transmit the information obtained from the back-end servers to the client's web browser. The back-end servers may be executing various corporate applications. The SSL VPN gateway may use built-in “screen scraping” protocols to split the emulation and display processing of the corporate applications so that only the applications' display is sent to the client browser. In this manner, corporate resources/applications can be made available to remote clients without requiring significant, or in some cases any, customization of the client computers.
A back-end server in an SSL VPN system may use a number of different techniques to manage and distribute data to clients. For example, the back-end server may be a server that delivers markup data to a browser at the client. One existing format for storing and managing data is the Extensible Markup Language (XML) format. XML is a general-purpose markup language capable of describing many different kinds of data. XML files typically describe data, but do not specify how the data is to be formatted or displayed. When XML data is presented to a user, it may first be transformed using a language such as XSLT (eXtensible Stylesheet Language Transformations) to produce a file encoded to describe how the data is to be formatted. A common example of the usage of XML and XSLT is to store data at a server in XML format. When the data is requested by a particular client device, the XML file is sent to the client with an XSLT script that is appropriate for the client. The client may then format the XML file for display based on the transformations specified in the XSLT script.
A problem that can occur when sending XML data and XSLT scripts through an SSL VPN gateway is that the XSLT scripts may contain later binding uniform resource locator (URL)-based link entities that are to be resolved at the client side. In other words, the scripts may contain links that cannot be fully defined until the XML data files and XSLT scripts are merged at the client. The links may resolve to additional resources on the back-end server. In the situation in which the back-end server is behind the SSL VPN gateway, however, the later binding URL-based link entities may not be directly reachable from the client because the SSL VPN gateway blocks the client from directly accessing the back-end server.
One existing solution to the above-mentioned problem is to install client-side software entities that examine the URL-based links as they are resolved at the client and rewrite them to point back to the SSL VPN gateway for eventual forwarding to the back-end server. This can be inconvenient for the client, however, as it requires the client-side software entity to be installed on each client.
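As an added illustration (not code from this patent), the link rewriting described above applied to an XSLT script: link entities that reference the back-end server are rewritten to route through the SSL VPN gateway, while late-binding attribute value templates such as {@id} are left intact so they still resolve when the XML and XSLT are merged at the client. The hostnames and the gateway proxy path are assumptions.

```python
# Added example: rewrite back-end URL link entities inside an XSLT script so that,
# once resolved at the client, they point back to the SSL VPN gateway.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical hosts (assumptions, not from the patent).
BACKEND_HOST = "backend.corp.example"
GATEWAY_PREFIX = "https://sslvpn.example.com/proxy/"

# Attributes that carry URL-based link entities in the generated markup.
LINK_ATTRS = ("href", "src", "action")

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
ET.register_namespace("xsl", XSL_NS)

# Constructed sample XSLT: two links target the back-end server (one of them
# late-binding via the {@id} attribute value template), one is external.
SAMPLE_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="%s">
  <xsl:template match="/report">
    <html><body>
      <a href="http://backend.corp.example/reports/{@id}.xml">Full report</a>
      <img src="http://backend.corp.example/images/logo.png"/>
      <a href="http://www.w3.org/">External link</a>
    </body></html>
  </xsl:template>
</xsl:stylesheet>
""" % XSL_NS


def rewrite_url(url: str) -> str:
    """Return url unchanged unless its host is the back-end server; in that case
    route it through the gateway proxy path, keeping path and query verbatim so
    that late-binding parts such as {@id} still resolve at the client."""
    parts = urlsplit(url)
    if parts.hostname != BACKEND_HOST:
        return url
    rewritten = GATEWAY_PREFIX + BACKEND_HOST + parts.path
    if parts.query:
        rewritten += "?" + parts.query
    return rewritten


def rewrite_xslt(xslt_text: str) -> str:
    """Walk every element of the XSLT script and rewrite link-carrying attributes."""
    root = ET.fromstring(xslt_text)
    for elem in root.iter():
        for attr in LINK_ATTRS:
            if attr in elem.attrib:
                elem.set(attr, rewrite_url(elem.get(attr)))
    return ET.tostring(root, encoding="unicode")
```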